All subdomains of a forbidden domain are forbidden as well.

2026-05-16 12:11:34 +00:00 · 2025-09-22 20:00:54 +00:00
parent f0b19debdc
commit b1c372ea54
1 changed files with 2 additions and 1 deletions
--- a/src/auth.go
+++ b/src/auth.go
@@ -379,7 +379,8 @@ func CheckForbiddenDomain(r *http.Request) error {

 	host = strings.ToLower(host)
 	for _, reservedDomain := range config.Limits.ForbiddenDomains {
-		if host == strings.ToLower(reservedDomain) {
+		reservedDomain = strings.ToLower(reservedDomain)
+		if host == reservedDomain || strings.HasSuffix(host, fmt.Sprintf(".%s", reservedDomain)) {
 			return AuthError{http.StatusForbidden, "forbidden domain"}
 		}
 	}